-
-
Notifications
You must be signed in to change notification settings - Fork 249
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support OpenID Connect Front Channel Logout #321
base: master
Are you sure you want to change the base?
Conversation
I'm interested in this as well, so I took some time to investigate... My understanding is that the whole point of the front channel logout mechanism is that it enables the OP to ask the RP to terminate all active sessions for a user, which is why the I'm playing around with AzureAD which supports front channel logout, and in their case (not saying that it is normative) they also support section 3 of the section management specification and provide the So to make it work with AzureAD's interpretation of |
I'm afraid such a mapping depends on how the session is stored. Also I don't think you can look up a session by its id in lua-resty-session, so you cannot destroy any session other than "the current one". Also, there always is only one session attached to a single browser instance (modulo anonymous mode) as at least the session id is stored in a single session cookie. |
If the session is stored entirely in the cookie, then obviously it is impossible to destroy any other session than the one associated with the browser which is executing the requests, but for the other storage adapters it should be possible. I have looked through the source code of lua-resty-session and currently exploring the idea to create either a custom session strategy, or a storage adapter which wraps one of the existing ones (except cookie) to maintain the |
I've thought about a similar approach as well - a wrapper around existing session strategies. This would allow us to support backchannel logout as well. |
I have a prototype strategy going which which works in my tests with
The strategy wraps/inherits another strategy and overrides If I can get this to work reliably, extending the concept to support back-channel logout would be easy. Edit: A closer look at the back-channel logout spec: the Realizing that I may be hijacking this PR for a broader discussion, please advise if there is a more appropriate place to discuss this. |
see #308 Signed-off-by: Stefan Bodewig <[email protected]>
@bodewig do you want me to consider this pull request before releasing, or should I release 1.7.3 as master is right now |
Unfortunately my weekends have been devoted to other things lately, I've been meaning to come back to this to verify @eriksunsol 's comment that I may have misunderstood the spec. In that case merging this PR wouldn't be a good idea, I'm not sure when I will find time to re-read the spec (and my implementation, it's been a while). Let's not hold up the next release and rather be quick with another one once we've sorted things out. |
I implemented front-channel logout with my IdP using OIDC Session Management and the end-session-endpoint. I had to extend "on_authenticated" to save the session_state to the session, so I can use it later (at the front end)
The logout is initiated from the client by calling logout with "Accept: image/png" after receiving a "changed" notification. This may not be suitable for everyone but served my needs. |
FWIW: I think front channel logout is on its way to be deprecated by spec because of recent/upcoming browser changes wrt. 3rd-party cookie handling. |
this adds a function that can be used as lua content handler for a frontchannel logout URI.
see also #308